WebSphere JSESSIONID cookie overwrite between two apps on the same domain (different ports / context roots)

session, websphere

Background

I have two WebSphere apps

(installed on two separate profiles, and both the ports and context roots are different)

Scenario

  • When logging into app1, users get a JSESSIONID cookie X
  • When logging into app2 in another browser tab (IE8), the user gets a JSESSIONID cookie Y

Problem

  • When logging into app2, the JSESSIONID cookie value Y overwrites the value X, thus invalidating the session of app1 (the user is thrown back to the login page if they do anything)

Question

  • Is that the default behavior? It looks weird that two web apps can share a JSESSIONID cookie
  • Is there a way to configure the two web apps to have JSESSIONID cookie isolation?

Best Answer

Those two apps are unaware of each other since they're in separate profiles. So I expect the second one sees a session ID it doesn't recognize, assumes it's an expired one, and creates a new one.

You can change one application's cookie name to something other than JSESSIONID, or you can change its path so that it is only sent back for /app1 or /app2.

Either server-wide under Servers > Server name > Session Management > Enable Cookies or for the particular application(s) under Enterprise Applications > Application name > Session Management > Enable Cookies. If you choose the latter, you have to also check Override session management.
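The overwrite and both fixes from the answer, modelled as an added example (not WebSphere code and not from the original post): a minimal cookie jar that, like a browser following RFC 6265, keys cookies by name, host and path and ignores the port. The host `host.example`, the ports, and the cookie name `APP2SESSIONID` are constructed for illustration, and only host-only cookies are modelled.

```python
# Added example: minimal RFC 6265-style cookie jar (illustrative model only).
from urllib.parse import urlsplit


class CookieJar:
    """Keys cookies by (name, host, path); the port is not part of the key."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, url, name, value, path="/"):
        host = urlsplit(url).hostname          # port is dropped here
        self.store[(name, host, path)] = value  # same key => overwrite

    @staticmethod
    def _path_match(request_path, cookie_path):
        # Path-match rule from RFC 6265 section 5.1.4
        if request_path == cookie_path:
            return True
        if request_path.startswith(cookie_path):
            return (cookie_path.endswith("/")
                    or request_path[len(cookie_path)] == "/")
        return False

    def cookies_for(self, url):
        """Return the (name, value) pairs a browser would send to url."""
        parts = urlsplit(url)
        return sorted(
            (name, value)
            for (name, host, path), value in self.store.items()
            if host == parts.hostname
            and self._path_match(parts.path or "/", path)
        )


# Constructed URLs: same host, different ports and context roots.
APP1 = "http://host.example:9080/app1/home"
APP2 = "http://host.example:9081/app2/home"


def simulate(path1="/", path2="/", name2="JSESSIONID"):
    """Log in to app1, then app2; return what each app receives afterwards."""
    jar = CookieJar()
    jar.set_cookie(APP1, "JSESSIONID", "X", path1)
    jar.set_cookie(APP2, name2, "Y", path2)
    return jar.cookies_for(APP1), jar.cookies_for(APP2)


if __name__ == "__main__":
    print("default path /      :", simulate())
    print("paths /app1, /app2  :", simulate("/app1", "/app2"))
    print("renamed app2 cookie :", simulate(name2="APP2SESSIONID"))
```

With a renamed cookie and the default path, each app still receives the other app's session ID; only path scoping keeps the two values from being sent across applications.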